OSEC

nscd poisoning?

From: Michael Loftis (mloftiswgops.com)
Date: Thu Jun 12 2003 - 00:15:50 CDT


I just experienced a very scary thing. An nscd instance on an
internal/mostly private machine picked up a bogus entry for localhost
matching the address 203.0.37.125 -- which the net admin there has
reversing to localhost. It seems to me we have a hacker with some sort of
new attack possibly?

The system is an RH7.3 base, with latest patches. As far as I know there
aren't any obvious vulns in the system here, and the information didn't
come from LDAP as the servers replication logs NEVER mentioned that
information, ever.

I know that there are some solutions to this (including editing
nsswitch.conf) but I wanted to know if anyone else has seen this? Replies
off-list or on-list (though I have a hard time following all the list
traffic...)
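
A defensive check for the situation described in the message above, as an added example that is not part of the original post. It assumes the nsswitch.conf edit in question is consulting `files` before `dns` on the `hosts:` line, and it flags a `localhost` that resolves to anything other than a loopback address; the function names and sample configs are constructed for illustration.

```python
import ipaddress
import re
import socket


def hosts_sources(nsswitch_text):
    """Return the ordered lookup sources on the 'hosts:' line, ignoring [actions]."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith("hosts:"):
            spec = re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):])
            return spec.split()
    return []


def audit(nsswitch_text, localhost_addrs):
    """Return findings for a config text and the addresses 'localhost' resolved to."""
    findings = []
    sources = hosts_sources(nsswitch_text)
    # Assumption: the intended fix is 'files' (i.e. /etc/hosts) ahead of 'dns'.
    if "files" not in sources:
        findings.append("hosts: 'files' is not consulted at all")
    elif "dns" in sources and sources.index("dns") < sources.index("files"):
        findings.append("hosts: 'dns' is consulted before 'files'")
    for addr in localhost_addrs:
        if not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"localhost resolves to non-loopback address {addr}")
    return findings


def resolve_localhost():
    """Addresses the system resolver currently returns for 'localhost'."""
    infos = socket.getaddrinfo("localhost", None)
    return sorted({info[4][0] for info in infos})


# Constructed sample inputs (not taken from the affected machine).
BAD_CONF = "passwd: files ldap\nhosts: dns [NOTFOUND=return] files  # constructed\n"
GOOD_CONF = "hosts: files dns\n"

if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as fh:
        for finding in audit(fh.read(), resolve_localhost()):
            print("WARN:", finding)
```

Run on the host itself, it reads the live `/etc/nsswitch.conf` and prints a warning for each finding; no output means both checks passed.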
